US11997215B2ActiveUtilityA1

Secret protection during software development life cycle

63
Assignee: SALESFORCE COM INCPriority: Jan 31, 2022Filed: Jan 31, 2022Granted: May 28, 2024
Est. expiryJan 31, 2042(~15.6 yrs left)· nominal 20-yr term from priority
H04L 9/3247G06F 21/602H04L 9/0894H04L 9/0838
63
PatentIndex Score
0
Cited by
12
References
20
Claims

Abstract

Techniques are disclosed relating to the protection of secrets within a software development lifecycle. Developers can use an encryption service to encrypt a secret to be used by an application within a package. The secret can be associated with the application, and then encrypted and included in a package that is signed and passed through a software automation pipeline to a data center that hosts the production server for the application. The application executing on the production server can request that the secret be decrypted by a decryption service after package verification. A developer can also specify, in a manifest file, a set of secrets needed for applications executing in the same data center. The manifest file may be passed from the software development environment to the data center, where the specified secrets are created and used by the applications without ever residing or being accessible outside the data center.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method, comprising:
 storing, at a storage location in a data center, a signed package that includes an encrypted version of a secret referenced by a first application, wherein the encrypted version of the secret has been encrypted by an encryption service using a symmetric key that has been generated using a data center public key of a data center key pair of the data center, and wherein the signed package includes information indicating that the secret is associated with the first application; 
 sending, by the first application executing on a production server within the data center, a request for a decrypted version of the secret to a decryption service executing within the data center; 
 the decryption service:
 verifying the signed package; 
 in response to the signed package being verified, deriving the symmetric key using a data center private key of the data center key pair; 
 decrypting the encrypted version of the secret using the symmetric key; and 
 returning the decrypted version of the secret to the first application. 
 
 
     
     
       2. The method of  claim 1 , wherein the symmetric key was generated by the encryption service using 1) the data center public key and 2) an ephemeral private key of an ephemeral key pair generated by the encryption service, and wherein the signed package includes an ephemeral public key of the ephemeral key pair; and
 wherein the decryption service is executable to decrypt the secret by deriving the symmetric key using 1) the data center private key and 2) the ephemeral public key. 
 
     
     
       3. The method of  claim 2 , wherein verifying the signed package includes verifying a signature of the signed package, the signature having been generated using a signing private key of a signing key pair, and wherein the verifying the signature is performed using a signing public key of the signing key pair, and wherein the signing key pair is backed by a key management service such that the signing public key is available to the decryption service. 
     
     
       4. The method of  claim 3 , wherein the signed package includes metadata indicating that the signed package is associated with the first application, and wherein verifying the signed package further includes the decryption service checking that an entity making the request is the first application. 
     
     
       5. The method of  claim 1 , wherein the signed package is received from a software automation pipeline that automatically performs compiling and testing of the first application. 
     
     
       6. The method of  claim 1 , wherein the secret is created by the encryption service based on specified secret parameters supplied to the encryption service. 
     
     
       7. The method of  claim 1 , wherein the decryption service executes within a container. 
     
     
       8. The method of  claim 1 , further comprising:
 receiving, at the data center, a manifest file for the first application, the manifest file specifying a set of secrets to be created for use by the first application; 
 creating the set of secrets and storing the created secrets within the data center for use by the first application while executing on the production server; and 
 wherein the created secrets are not accessible outside the data center. 
 
     
     
       9. A non-transitory, computer-readable storage medium storing program instructions that are capable of being executed by a computer system to perform operations that implement a decryption service within a data center, the operations comprising:
 receiving, from a first application executing on a production server within the data center, a request for a decrypted version of a secret that is encrypted in a signed package stored in a storage location within the data center, wherein the secret has been encrypted by an encryption service external to the data center using a symmetric key, the symmetric key being generated from a data center public key of a data center key pair of the data center; 
 verifying the signed package; 
 in response to the signed package being verified, deriving the symmetric key using a data center private key of the data center key pair; 
 decrypting the secret using the symmetric key; and 
 responsive to the request, returning a decrypted version of the secret to the first application. 
 
     
     
       10. The non-transitory, computer-readable storage medium of  claim 9 , wherein the symmetric key is generated by the encryption service using 1) the data center public key and 2) an ephemeral private key of an ephemeral key pair; and
 wherein the signed package includes an ephemeral public key of the ephemeral key pair; and 
 wherein the symmetric key is derived by the decryption service using 1) the data center private key and 2) the ephemeral public key. 
 
     
     
       11. The non-transitory, computer-readable storage medium of  claim 9 , wherein verifying the signed package includes verifying a signature of the signed package, the signature having been generated using a signing private key of a signing key pair, wherein verifying the signature is performed using a signing public key of the signing key pair, and wherein the signing key pair is backed by a key management service such that the signing public key is available to the decryption service. 
     
     
       12. The non-transitory, computer-readable storage medium of  claim 11 , wherein the signed package includes metadata indicating that the signed package is associated with the first application, and wherein verifying the signed package further includes the decryption service checking that an entity making the request is the first application. 
     
     
       13. The non-transitory, computer-readable storage medium of  claim 9 , wherein the decryption service is executable within a container. 
     
     
       14. The non-transitory, computer-readable storage medium of  claim 9 , the operations further comprising:
 receiving a manifest file specifying one or more secrets to be created in order to be used by the first application while executing in the data center; and 
 creating the one or more specified secrets and storing the created secrets within the data center for use by the first application while executing on the production server; and 
 wherein the created secrets are not accessible outside the data center. 
 
     
     
       15. A system, comprising:
 an encryption server configured to implement an encryption service that encrypts, in a signed package, a secret referenced by a first application, the encryption service encrypting the secret using a symmetric key generated from a data center public key; 
 a software automation pipeline comprising one or more computer systems, the software automation pipeline being configured to receive the signed package and perform automated operations using the first application, the automated operations including testing; and 
 a data center configured to receive, from the software automation pipeline, the signed package, wherein the data center includes a storage location configured to store the signed package, and further includes a plurality of computer systems configured to implement:
 a production server configured to execute a production version of the first application; and 
 a decryption service configured, in response to a request from the first application executing on the production, to verify the signed package, decrypt the secret after deriving the symmetric key, and return a decrypted version of the secret to the first application; and 
 
 a key management service (KMS) that stores a plurality of keys, including a data center key pair for the data center the data center key pair including a data center public key and a data center private key. 
 
     
     
       16. The system of  claim 15 , wherein the encryption service is executable to:
 generate an ephemeral key pair including an ephemeral private key and an ephemeral public key; 
 generate the symmetric key using the data center public key and the ephemeral private key; and 
 output the signed package by:
 including, in a package, an encrypted version of the secret, the ephemeral public key, and metadata indicating that the secret is associated with the first application; and 
 signing the package using a signing private key of a signing key pair to produce the signed package, the signing key pair being stored by the KMS. 
 
 
     
     
       17. The system of  claim 16 , wherein the decryption service is executable to verify the signed package by:
 verifying a signature of the signed package using a signing public key of the signing key pair; and 
 checking that a requesting entity making the request to the decryption service matches an indicated entity specified in the metadata. 
 
     
     
       18. The system of  claim 17 , wherein the decryption service is executable to:
 derive the symmetric key using the data center private key and the ephemeral public key, the data center private key being accessible only within the data center; and 
 decrypt the encrypted version of the secret in the signed package using the derived symmetric key to produce a decrypted version of the secret. 
 
     
     
       19. The system of  claim 18 , wherein the encryption and decryption services are implemented using containers. 
     
     
       20. The system of  claim 15 , wherein the software automation pipeline is configured to receive a manifest file specifying one or more secrets to be created in order to be used by the first application while executing in the data center, and output the manifest file to the data center; and
 wherein the data center is further configured to create the one or more specified secrets within the data center according to the manifest file and store the created secrets for use by the first application while executing on the production server such that the created secrets are not accessible outside the data center.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.